INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU


HIGHLIGHTS
WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER
IT'S ALL ABOUT BUSINESS RISKS
SECURITY ARCHITECTURE FOR THE BUSINESS WORLD
RISK MANAGEMENT IN SECURITY ARCHITECTURE
SAFETY AND SECURITY?
A WORD FOR THE MOTIVATED / QUIZ FOR THE END
QUESTIONS

INFORMATION SECURITY - HIGH-LEVEL CONCEPTS

INFORMATION SECURITY (IS) IS DESIGNED TO PROTECT THE CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF COMPUTER SYSTEM DATA FROM THOSE WITH MALICIOUS INTENTIONS.

INFORMATION SECURITY - THE PRACTICE OF PROTECTING INFORMATION FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, PERUSAL, INSPECTION, RECORDING OR DESTRUCTION. IT IS A GENERAL TERM USED REGARDLESS OF THE FORM THE DATA MAY TAKE (E.G. ELECTRONIC, PHYSICAL). - WIKIPEDIA

INFORMATION SECURITY IS THE COLLECTION OF TECHNOLOGIES, STANDARDS, POLICIES AND MANAGEMENT PRACTICES THAT ARE APPLIED TO INFORMATION TO KEEP IT SECURE. - OPEN UNIVERSITY

INFORMATION SECURITY IS THE SET OF BUSINESS PROCESSES THAT PROTECTS INFORMATION ASSETS REGARDLESS OF HOW THE INFORMATION IS FORMATTED OR WHETHER IT IS BEING PROCESSED, IS IN TRANSIT OR IS BEING STORED.

WHY DOES IT MATTER? - ANY OF THESE LOOK FAMILIAR?

RECENT SECURITY ISSUES (2014)

Period | Threats / Attacks | Vulnerabilities | Impact
Jan-Mar 2014 | Yahoo! email hack | Not disclosed | 273 million reportedly hacked; specific number of affected accounts not disclosed
Jan-Mar 2014 | DDoS attack on Bitcoin | Code integrity | No specific breach published
Jan-Mar 2014 | NTP DDoS vulnerability uncovered | - | -
Jan-Mar 2014 | DDoS attack on UK Ministry of Justice | Not disclosed | No breach
Jan-Mar 2014 | Sophisticated attack on Neiman Marcus retail infrastructure | Missed detections (or insufficient data exfiltration detection capability) | Credit card information of 350,000 individuals stolen
Apr-Jun 2014 | Heartbleed vulnerability published | - | -
Apr-Jun 2014 | Chinese individuals hacked into US companies | Not disclosed | Not published
Apr-Jun 2014 | Public utility control system hacked in the US | Brute-forced employees' login passwords | Not disclosed
Apr-Jun 2014 | Evernote subjected to DDoS attack | Not disclosed | Service disruption to 100 million Evernote users
Apr-Jun 2014 | P.F. Chang's restaurants cardholder data infrastructure compromised | Not disclosed | Credit and debit card information from 33 restaurants stolen and reportedly sold online
Apr-Jun 2014 | Organisers of Brazil 2014 World Cup DDoS'ed | Not disclosed | Disruption to numerous brands
Jul-Sep 2014 | Bash / ShellShock vulnerability released | - | Affecting millions of devices worldwide
Oct-Dec 2014 | Sony Pictures hack | Not fully disclosed | Disruption of movie production, movie revenue and employee/talent relations
Oct-Dec 2014 | Sony PlayStation and Microsoft Xbox attacked for days over the Christmas holiday | Not disclosed | Microsoft and Sony unable to serve millions of customers worldwide
Oct-Dec 2014 | OpenSSL vulnerability released | - | Affecting millions of software and hardware devices


TO THE BUSINESS, WHAT IS RISK?
RISK IS THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000).
AN EFFECT IS A POSITIVE OR NEGATIVE DEVIATION FROM WHAT IS EXPECTED.
UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, ITS CONSEQUENCE OR ITS LIKELIHOOD IS INADEQUATE OR INCOMPLETE.
[Diagram: risk shown as the overlap of Information Asset, Threat and Vulnerability]

POSITIVE PERSPECTIVE
THE SAME ISO 31000 DEFINITION APPLIES: THE EFFECT OF UNCERTAINTY ON OBJECTIVES CAN ALSO BE A POSITIVE DEVIATION FROM WHAT IS EXPECTED.
[Diagram: the overlap of Information Asset, Opportunity and Strength]


SECURITY ARCHITECTURE - HIGH-LEVEL CONCEPTS

SECURITY ARCHITECTURE - ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS/COUNTERMEASURES/SAFEGUARDS ARE POSITIONED AND HOW THEY RELATE TO THE OVERALL SYSTEMS ARCHITECTURE, FOR THE PURPOSE OF MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY. - WIKIPEDIA

THE DESIGN ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS (= SECURITY COUNTERMEASURES) ARE POSITIONED, AND HOW THEY RELATE TO THE OVERALL IT ARCHITECTURE. THESE CONTROLS SERVE THE PURPOSE OF MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES, AMONG THEM CONFIDENTIALITY, INTEGRITY, AVAILABILITY, ACCOUNTABILITY AND ASSURANCE. - OPENSECURITYARCHITECTURE.ORG

SECURITY ARCHITECTURE IS A UNIFIED SECURITY DESIGN THAT ADDRESSES THE NECESSITIES AND POTENTIAL RISKS INVOLVED IN A CERTAIN SCENARIO OR ENVIRONMENT. IT ALSO SPECIFIES WHEN AND WHERE TO APPLY SECURITY CONTROLS. THE DESIGN PROCESS IS GENERALLY REPRODUCIBLE. - TECHOPEDIA

ENTERPRISE INFORMATION SECURITY ARCHITECTURE (EISA) IS THE PRACTICE OF APPLYING A COMPREHENSIVE AND RIGOROUS METHOD FOR DESCRIBING A CURRENT AND/OR FUTURE STRUCTURE AND BEHAVIOUR FOR AN ORGANIZATION'S SECURITY PROCESSES, INFORMATION SECURITY SYSTEMS, PERSONNEL AND ORGANIZATIONAL SUB-UNITS, SO THAT THEY ALIGN WITH THE ORGANIZATION'S CORE GOALS AND STRATEGIC DIRECTION. - WIKIPEDIA

IT IS ABOUT POSITIONING, DISTINCTION AND AUTHENTICITY, AND THE THINGS WE CARE ABOUT

NIRVANA ARCHITECTURE - NO ARCHITECTS NEEDED
[Diagram: the common business security problem on one side, the business security aspiration on the other; security architecture bridges the gap]

THE MIND OF A SECURITY ARCHITECT - PRINCIPLES
Risk-based and policy-driven
Policy-based access to services
Ease of use / low friction
Data access control
Service minimisation
Limit what your system says
Audit logging and monitoring
Secure by design
Defense-in-depth
Segregation of trust domains
Secure down to the weakest link
Protection against insider and outsider attacks
Trust levels
Least privilege
Separation of duties

AN ARCHITECTURE DEVELOPMENT METHODOLOGY
Focus on secure business technology outcomes, not just security tools.
1. Characterise the system by defining data, classification, criticality, components and interfaces.
2. Identify threats, vulnerabilities and the threat-vulnerability pairs that result in risk to the system and data. Identify high-priority risks for management and control. Leverage threat modelling techniques.
3. Select appropriate controls to treat high-priority risks. Determine architecture and design principles and patterns; leverage available security building blocks in the proposed security architecture foundations/model.
4. Assess the design and implementation of controls and security architecture for residual risks (design review / vulnerability scan / penetration test).
5. Present the implemented solution to the risk owner for acceptance of residual risks. Gain authorisation for production / go-live.
6. Ensure continuous security monitoring through integration with security logging and monitoring and contract management.

SYSTEM CHARACTERISATION
UNDERSTAND THE BUSINESS PROCESS, APPLICATION SYSTEM AND COMPONENTS:
WHAT TYPE/CLASSIFICATION OF DATA IS INVOLVED?
WHAT ARE THE SYSTEM BOUNDARIES?
WHAT ARE THE INTERFACES TO/FROM THE SYSTEM AND WITHIN THE COMPONENTS OF THE SYSTEM?
WHO HAS THE RISK DECISION ON THE CRITICALITY OF THE SYSTEM?
WHO HAS THE RISK DECISION ON THE IMPACT OF SECURITY RISK FROM DATA LOSS, UNAUTHORISED DISCLOSURE AND UNAUTHORISED MODIFICATION?
WHAT IS THE BUSINESS IMPACT OF ANY OF THESE SECURITY CONCERNS?
WHAT ARE THE KNOWN WEAKNESSES, BUGS AND TECHNICAL SECURITY VULNERABILITIES (IF IT IS AN EXISTING SYSTEM)?
WHAT IS THE CURRENT BUSINESS RISK POSTURE OF THE SYSTEM?

RISK ASSESSMENT (ONE STEP OF RISK MANAGEMENT)
BUSINESS IMPACT ASSESSMENT - ESTIMATE THE POTENTIAL DAMAGE TO THE SYSTEM IN THE EVENT OF A THREAT MATERIALISING
THREAT MODELLING - IDENTIFY THREATS AND ESTIMATE THE LIKELIHOOD OF THEM MATERIALISING
ISSUE IDENTIFICATION / SECURITY ASSESSMENT - IDENTIFY VULNERABILITIES, WEAKNESSES AND ISSUES WITH THE SYSTEM (OR POTENTIAL ONES) AND THE LIKELIHOOD OF THEM BEING EXPLOITED
RISK SCORING - USE THREAT-VULNERABILITY PAIRING TO DETERMINE THE MOST LIKELY RISK EVENTS THAT COULD MATERIALISE
RISK PRIORITISATION - PRIORITISE THE RISKS ACCORDING TO THEIR LEVELS
RISK QUANTIFICATION / COST BUDGETING - QUANTIFY RISKS AND REVIEW WITH STAKEHOLDERS

SELECTION OF CONTROLS PLUS ARCHITECTURE & DESIGN
FOLLOW ORGANISATION-DEFINED SECURITY GUIDELINES AND POLICIES (ACCESS CONTROL, PASSWORD MANAGEMENT, REGULATORY COMPLIANCE, BUSINESS VALUES ETC.)
SELECT CONTROLS FROM A DEFINED CONTROLS CATALOGUE, OR FROM INDUSTRY STANDARDS SUCH AS NIST SP 800-53 AND ISO 27001/27002
LEVERAGE SECURITY ARCHITECTURE BUILDING BLOCKS (FROM BEST-PRACTICE FRAMEWORKS SUCH AS SABSA)
REUSE EXISTING SECURITY SERVICES RATHER THAN BUILD NEW ONES (REUSE BEFORE BUY BEFORE BUILD)
BE CREATIVE (USING THE MIND OF A SECURITY ARCHITECT)

IMPLEMENTATION ASSESSMENT, AUTHORISATION AND CONTINUOUS MONITORING
Design reviews, build/code reviews, source code analysis, vulnerability assessment and security testing (application / penetration testing), plus remediation to acceptable risk levels.
Risk acceptance criteria, e.g. accept vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of less than 4.0 to maintain PCI DSS compliance; address all DoS vulnerabilities on critical systems that require high availability.
Approval to go live with the system; then the cycle begins again.
Feeds of security events and logs to security information and event management (SIEM) tools, horizon scanning of threat intelligence, and monitoring of exploits against the accepted risk posture, which may require revision of the system characterisation.
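The slides above describe the cycle in prose only: characterise the system, pair threats with vulnerabilities, score and prioritise the resulting risks, then gate go-live on risk acceptance criteria. The following is an added example written for this page, not code from the authors or from any tool the slides mention. It implements threat-vulnerability pairing, a likelihood x impact score, a prioritised register, and a go-live gate that applies the two acceptance rules the slide gives (CVSS below 4.0 is tolerable for PCI DSS scan compliance; DoS findings on critical high-availability systems must be addressed) plus explicit risk-owner acceptance for anything else. The three-point scales, the rule that a pair is only as likely as the weaker of threat likelihood and vulnerability exploitability, and the assets, threats and findings are all constructed for illustration.

```python
"""Risk register with threat-vulnerability pairing, scoring, prioritisation
and a go-live gate that applies risk acceptance criteria.

Added example for this page; scales, rules and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Three-point ordinal scale (constructed; a real programme takes this from its risk policy)
LEVEL = {"low": 1, "medium": 2, "high": 3}
CVSS_ACCEPT_BELOW = 4.0  # the PCI DSS scan threshold quoted on the slide


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str                  # business impact of compromise, per LEVEL
    critical: bool = False
    high_availability: bool = False


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str              # likelihood that the threat acts, per LEVEL
    exploits: FrozenSet[str]     # weakness classes this threat can exploit


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str
    weakness: str                # weakness class, e.g. "injection", "dos"
    cvss: float
    exploitability: str          # how easily exploited, per LEVEL


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vuln: Vulnerability

    @property
    def likelihood(self) -> int:
        # A risk needs both a willing threat and an exploitable weakness, so the
        # pair is only as likely as the weaker of the two (assumed combination rule).
        return min(LEVEL[self.threat.likelihood], LEVEL[self.vuln.exploitability])

    @property
    def score(self) -> int:
        # Risk = likelihood x impact, the product form described on the slides.
        return self.likelihood * LEVEL[self.asset.impact]


def pair_risks(assets: List[Asset], threats: List[Threat],
               vulns: List[Vulnerability]) -> List[Risk]:
    """Threat-vulnerability pairing: a risk exists only where some threat can
    exploit the weakness class of a finding on a characterised asset."""
    by_name = {a.name: a for a in assets}
    risks = []
    for v in vulns:
        asset = by_name.get(v.asset)
        if asset is None:
            continue  # finding on an uncharacterised asset: characterise it first
        for t in threats:
            if v.weakness in t.exploits:
                risks.append(Risk(asset, t, v))
    return risks


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by CVSS, then id, so the register is stable."""
    return sorted(risks, key=lambda r: (-r.score, -r.vuln.cvss, r.vuln.vid))


def go_live_gate(risks: List[Risk], accepted_by_owner: Set[str]) -> List[Tuple[str, str]]:
    """Return (vulnerability id, reason) for every finding that blocks go-live."""
    worst: Dict[str, Risk] = {}
    for r in prioritise(risks):          # keep the highest-scoring pair per finding
        worst.setdefault(r.vuln.vid, r)
    blockers = []
    for r in worst.values():
        v, a = r.vuln, r.asset
        if v.weakness == "dos" and a.critical and a.high_availability:
            blockers.append((v.vid, "DoS on a critical high-availability system must be addressed"))
        elif v.cvss >= CVSS_ACCEPT_BELOW and v.vid not in accepted_by_owner:
            blockers.append((v.vid, f"CVSS {v.cvss} is at or above {CVSS_ACCEPT_BELOW} and has no risk-owner acceptance"))
    return blockers


# Constructed sample: two assets, two threat sources, four scan/pen-test findings.
ASSETS = [
    Asset("payment-api", impact="high", critical=True, high_availability=True),
    Asset("intranet-wiki", impact="low"),
]
THREATS = [
    Threat("external attacker", "high", frozenset({"injection", "dos", "weak-auth"})),
    Threat("malicious insider", "medium", frozenset({"weak-auth", "excessive-privilege"})),
]
FINDINGS = [
    Vulnerability("VULN-001", "payment-api", "injection", 9.8, "high"),
    Vulnerability("VULN-002", "payment-api", "dos", 7.5, "medium"),
    Vulnerability("VULN-003", "intranet-wiki", "weak-auth", 3.7, "medium"),
    Vulnerability("VULN-004", "intranet-wiki", "excessive-privilege", 5.3, "low"),
]


def build_register() -> List[Risk]:
    return prioritise(pair_risks(ASSETS, THREATS, FINDINGS))


if __name__ == "__main__":
    for r in build_register():
        print(f"score={r.score} {r.vuln.vid} {r.asset.name} <- {r.threat.name} via {r.vuln.weakness}")
    for vid, why in go_live_gate(build_register(), accepted_by_owner={"VULN-004"}):
        print("BLOCKER", vid, why)
```

With the constructed data the register holds five pairs (VULN-004 pairs only with the insider, who is the only threat that exploits excessive privilege), and with the risk owner having accepted VULN-004 the gate still blocks go-live on VULN-001 and VULN-002: the first because a 9.8 finding has no owner sign-off, the second because the DoS rule admits no acceptance at all. VULN-003 passes by policy alone because its score is below 4.0.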

WHEN IS SECURITY ARCHITECTURE COMPLETE?
WHEN SECURITY ARCHITECTS AND SECURITY RISK SPECIALISTS (AND OTHER ARCHITECTS) ARE NO LONGER NEEDED - START LOOKING FOR ANOTHER JOB.
[Diagram: bridging the gap]


RISK MANAGEMENT - HIGH-LEVEL CONCEPTS

RISK MANAGEMENT IS THE PROCESS OF IDENTIFYING THE CRITICALITY OF AN ASSET, IDENTIFYING RISK, AND IDENTIFYING CONTROLS THAT ARE APPLICABLE, BEARING IN MIND THE CRITICALITY OF THE ASSET, PROBABILITY OF OCCURRENCE, IMPACT AND COST OF APPLYING CONTROLS. RISK IS ASSESSED AS BOTH A PROBABILITY OF OCCURRENCE AND A MAGNITUDE OF EFFECT, OR THE PRODUCT OF THE TWO. THE STRATEGY IS TO ACCEPT, AVOID, REDUCE OR TRANSFER RISK.

SECURITY RISK MANAGEMENT - A PROCESS FOR IDENTIFYING, PRIORITIZING AND MANAGING INFORMATION SECURITY RISK TO AN ACCEPTABLE LEVEL WITHIN AN ORGANIZATION.

RISK MANAGEMENT IS A COMPREHENSIVE PROCESS THAT REQUIRES ORGANIZATIONS TO: (I) FRAME RISK (I.E., ESTABLISH THE CONTEXT FOR RISK-BASED DECISIONS); (II) ASSESS RISK; (III) RESPOND TO RISK ONCE DETERMINED; AND (IV) MONITOR RISK ON AN ONGOING BASIS USING EFFECTIVE ORGANIZATIONAL COMMUNICATIONS AND A FEEDBACK LOOP FOR CONTINUOUS IMPROVEMENT IN THE RISK-RELATED ACTIVITIES OF ORGANIZATIONS. - NIST SP 800-39

RISK MANAGEMENT IS AN ACTIVITY DIRECTED TOWARDS ASSESSMENT, MITIGATION, AND MONITORING OF RISKS TO AN ORGANIZATION. INFORMATION SECURITY RISK MANAGEMENT IS A MAJOR SUBSET OF THE ENTERPRISE RISK MANAGEMENT PROCESS, WHICH INCLUDES BOTH THE ASSESSMENT OF INFORMATION SECURITY RISKS TO THE INSTITUTION AS WELL AS THE DETERMINATION OF APPROPRIATE MANAGEMENT ACTIONS AND ESTABLISHED PRIORITIES FOR MANAGING AND IMPLEMENTING CONTROLS TO PROTECT AGAINST THOSE RISKS. - CONFLUENCE

RISK MANAGEMENT - AN OVERVIEW

ESSENTIAL RISK MANAGEMENT - RISK PRIORITISATION
[Flowchart: Start risk prioritisation -> Conduct summary-level risk prioritisation -> Review with stakeholders -> Conduct detailed-level risk prioritisation -> End of risk prioritisation]

CONDUCTING SUMMARY-LEVEL RISK PRIORITIZATION
THE SUMMARY-LEVEL PRIORITIZATION INCLUDES THE FOLLOWING:
1. DETERMINE IMPACT LEVEL
2. ESTIMATE SUMMARY-LEVEL PROBABILITY
3. COMPLETE THE SUMMARY-LEVEL RISK LIST
4. REVIEW WITH STAKEHOLDERS
Summary-level probability scale:
High - likely; one or more impacts expected within one year
Medium - probable; impact expected within two to three years
Low - not probable; impact not expected to occur within three years

IMPLEMENTING CONTROLS
[Diagram: the four-phase risk management cycle - 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness]
Seek a holistic approach
Organize by defense-in-depth

A GENERIC ASSET RISK ASSESSMENT APPROACH
PHASE 1 - Identification & Classification: identify data assets, business processes and IT applications
PHASE 2 - Business Impact Assessment: perform business impact assessment (of data assets and IT applications)
PHASE 3 - Risk Assessment: information risk assessment and IT application risk assessment; record risks (using bow ties)
PHASE 4 - Remediation: define remediation activities

IT SECURITY ARCHITECTURE RELATIONAL ENTITY


SAFETY VS SECURITY?
SAFETY ENFOLDS; IT'S INTERNAL. SAFETY IS A FEELING.
SECURITY SURROUNDS AND COULD BE EXTERNAL, I.E. AN OVERARCHING UMBRELLA PROTECTING OUR SAFETY.
SECURITY AS A SAFEGUARD.
PERCEPTION IS REALITY.
100% SECURITY IS NIRVANA.

QUESTIONS